2023 The First Half Activities Summary of Ransomware Threat Actors (EN)

Executive Summary

NSHC Threat Research Lab has analyzed information about hacking groups that have used Ransomware during the first half of 2023. Hacking activities using Ransomware have been continuously occurring up to now and it has been confirmed that the effects caused by the dissemination of Ransomware with the purpose of obtaining monetary compensation are great.

Therefore, it is necessary to prepare prevention and response systems based on information about the attack techniques and tools used by hacking groups using malware recently. This report describe the attack techniques and attack tools used by hacking groups using malware and information about infrastructure.

Activities of Hacking Groups Using Ransomware

Based on the data and information collected and analyzed by the NSHC Threat Research Lab from January 1, 2023 to June 30, 2023, a total of 141 hacking events related to Malware were confirmed in the first half of 2023.

[Figure 1: Monthly Status of Ransomware Events in the First Half of 2023]

Hacking groups using malware can be classified into cybercrime groups aiming to obtain financial gains and hacking groups receiving government support for special purposes. It has been confirmed that in the first half of 2023, 97% of the hacking activities of cybercrime groups were using malware. Therefore, it has been confirmed that the purpose of malware detected in the first half of 2023 is mainly to obtain financial gains.

[Figure 2: Statistics on Ransomware Hacking Groups in the First Half of 2023]

Classifying the regions where hacking groups using malware have been discovered, as shown in Figure 3, it has been confirmed that most hacking activities were conducted on organizations located in Europe and North America.

[Figure 3: Statistics of Areas Targeted in the First Half of 2023]

Additionally, the countries that were the targets of hacker groups using malware during the first half of 2023 were found to be the highest with the United States at 23.37%, followed by Germany and France in the higher rankings.

[Figure 4: National Statistics Targeted in the First Half of 2023]



In the first half of 2023, it was confirmed that hacking groups using Malware conducted the most hacking activities targeting personnel or systems working in the manufacturing, financial and commercial facilities sector. It is analyzed that these hacking groups, which are active for cybercrime purposes, become the main targets of hacking activities using Malware when a Malware attack occurs, resulting in significant damage to production activities.

[Figure 5: Statistics of Industries Targeted in the First Half of 2023]

ATTACK TECHNIQUES OF HACKING GROUPS USING MALWARE

1. VULNERABILITY EXPLOITATION

Hacking groups using malware have been found to check if vulnerable versions of software exist in the target organization and use the vulnerabilities of this software for attack. According to a survey conducted in the first half of 2023, the most exploited software vulnerabilities by hacking groups using malware are shown in Table 1.

Vulnerability Type of Vulnerability Target

CVE-2021-21974

Remote Code Execution Vulnerability VMware ESXi OpenSLP Services

CVE-2022-41082

Remote Code Execution Vulnerability

Microsoft Exchange Server

CVE-2023-27350

Improper Access Control Vulnerability

PaperCut MF/NG Improper

CVE-2022-41080

Privilege Escalation Vulnerability

Microsoft Exchange Server

CVE-2021-27876

File Access Vulnerability

Veritas Backup Exec Agent

CVE-2021-27877

Improper Authentication Vulnerability

Veritas Backup Exec Agent

CVE-2021-27878

Command Execution Vulnerability

Veritas Backup Exec Agent

CVE-2021-34527

Remote Code Execution Vulnerability

Microsoft Windows Print Spooler

CVE-2021-40539

Authentication Bypass Vulnerability

Zoho ManageEngine ADSelfService Plus

CVE-2022-29499 Data Validation Vulnerability

Mitel MiVoice Connect

[Table 1: List of Vulnerabilities Utilized by Hacking Groups Using Malware]

Hacking groups using malware have been found to heavily utilize Remote Code Execution Vulnerabilities (RCE) which allow them to remotely execute certain commands, as well as Improper Access Control Vulnerabilities which allow them to control access to files and directories, and other resources on the target of attack.

Of the particularly identified vulnerabilities, eight out of the top ten were identified as applications classified as servers. When an attack is performed by exploiting the vulnerabilities on the server, not only can the attacker gain persistent access and evade detection by elevating privileges, but also gain access to sensitive data, and can spread the damage by performing internal reconnaissance (Lateral Movement). It is confirmed that attackers target servers to exploit such characteristics.

[Figure 6: Statistics on the use of vulnerabilities by hacking groups using Malware]

2. OPEN-SOURCE TOOLS AND FREEWARE UTILIZATION

Hacking groups using malware are known to use Open-Source tools and Freeware for moving within the target organization and spreading malware. It was confirmed that the most frequently used Open-Source tools and Freeware by hacking groups using malware during the first half of 2023 were “AnyDesk”, which provides remote control functions.

Additionally, the group utilized widely known credential collecting tools, “Mimikatz” and “Rclone” which aids to manage cloud storage services remotely with command-line commands occupying the place.

[Figure 7: Tool Statistics Utilized By Hacking Groups Using Malware]

[Figure 8: AnyDesk Homepage Screen]

Based on the results of checking the characteristics of the tools used mainly by hacking groups using malware, programs that can remotely control the targets of attack or tools to collect and manage account information to gain administrator privileges were found to be used. In addition, file transfer programs used to move data collected from the target of attack to the outside, as well as cloud storage related programs, are also often used.

Tool

Tool Function

Link

AnyDesk

Remote Controlling Programme https://anydesk.com/

mimikatz

Collecting Windows Credential Information

https://github.com/gentilkiwi/mimikatz

Rclone

Cloud Storage Service

https://rclone.org/

Splashtop

Remote Controlling Program

https://www.splashtop.com/

PuTTY

Remote Controlling Program

https://www.putty.org/

PsExec

Remote Controlling Program

https://learn.microsoft.com/en-us/sysinternals/downloads/psexec

MEGA

Cloud Storage Service

https://mega.io/

Cobalt Strike

Penetration Testing

https://www.cobaltstrike.com/

FileZilla

File Transfer Program

https://filezilla-project.org/

AdFind

Collecting Windows Active Directory Information

http://www.joeware.net/freetools/tools/adfind/

[Table 2: List of Tools Used by Hacking Groups Utilizing Malware]

INFRASTRUCTURE OF HACKING GROUPS USING MALWARE

When a ransomware detects that data has been encrypted in the system of the targeted organization, it generates a ransom note indicating the procedures of making financial payments to the hacking group that has used the ransomware. Generally, the generated ransom note contains infrastructure details such as methods to communicate with the hacking groups or a cryptocurrency wallet address to receive the ransom.

During the first half of 2023, it was confirmed that the infrastructure used by hacking groups utilizing Ransomware existing on Ransom Note was mainly consisting of Onion domains, email addresses, and social media platforms.

During the first half of 2023, analysis if infrastructure indicated in the ransom note shows that Onion domains, email addresses and social media platform were commonly utilized by hacking groups using ransomware. Among them, Onion domains were utilized most frequently.

[Figure 9: Infrastructure Statistics of Hacking Groups Using Malware]

1.ONION DOMAIN ADDRESS UTILIZATION

The Onion domain is a unique domain that is only accessible through Tor Browser, which is used to access the Deep and Dark web. The domain is often utilized by attackers as it provides anonymity, making the process of tracking difficult.

The reason to why hacking groups using ransomwares utilize the Onion domain could be classified into three main categories. Firstly, hacking groups may use it to publish the list of victimized organizations. Secondly, it is used as a contact point for the victimized companies. In this case, the group uses a unique ID provided in the ransom note as a means of identifying the victim. Lastly, there are cases where websites are operated with multiple contents, including those that are unrelated to ransomwares.

Among ransomware identified in the first half of 2023, it was found that Onion domains were most commonly used to publish the list of companies that had been targeted by the hacking groups.

[Figure 10: Statistics of Group Utilization of Onion Domains Using Malware]

1) Publishing lists of victimized companies

Hacking groups employing ransomware utilize Onion domain addresses for the purpose of publishing lists of victimized companies. When doing so, they publicly disclose certain stolen data, such as file names and file paths, through file-sharing websites, thereby demonstrating that they have successfully exfiltrated the target’s data. Additionally, they often indicate a deadline for monetary transactions, creating an atmosphere of pressure to pay the ransom for data recovery.

[Figure 11: Utilizing Onion Domain Addresses Operated For The Purpose Of Posting A List Of Affected Companies (1)]

[Figure 12: Utilizing Onion Domain Addresses Operated for the Purpose of Posting a List of Victim Companies (2)]

2) Contacting specific attack targets

In the case of using Onion domains as a means of contacting the victimized companies, access is granted only after entering a specific string. The specific string used to differentiate the targets are called differently across various ransomware groups, such as “Personal ID” or “Decryption ID”, and they are provided in the ransom note generated during the target data encryption process.

[Figure 13: Onion Address Operated for the Purpose of Contacting Specific Attack Targets]



3) Others

Some ransomware hacking groups were identified to be selling drugs and hacking tools in their Onion domain address, on top of ransomware.

[Figure 14: Screen of Onion Website Utilized for Multiple Purposes]

2. Social Media Platform Utilization

Ransomware hacking groups predominantly utilize the social media platform Tox, accounting for 65% of their contact methods with their targets. Tox is a messenger service that does not require personal information such as phone numbers or email addresses during registration, and it offers encryption features similar to Telegram, thus it has been observed that Tox messenger applications are actively employed by these groups.

[Figure 15: Statistics of Social Media Platforms Utilized by Hacking Groups Using Malware]

[Figure 16: Tox Settings Screen]

3. Email Domain

Ransomware hacking groups also employ email as a means to contact their targets, with the most frequently used email domain being “onionmail.org,” accounting for 30% of their communications. The “onionmail.org” domain is preferred for its ability to encrypt emails using PGP keys and ensure anonymity, making it the top choice for these groups.

[Figure 17: Statistics on Email Domains Used by Ransomware Hacking Groups]

[Figure 18: Onion Mail Homepage]

4. TYPES OF CRYPTOCURRENCIES

Ransomware hacking groups have been utilizing cryptocurrencies as a means to receive monetary gains from their victims. Cryptocurrencies offer the advantage of anonymity, as only the transaction address and ID are recorded, with no personal information being publicly disclosed. This characteristic allows these groups to conceal their identities and evade tracking by law enforcement agencies, making cryptocurrencies the preferred form of payment for the funds they receive.

During the first half of 2023, it has been confirmed that ransomware hacking groups have used four types of cryptocurrencies: Bitcoin (BTC), Ethereum (ETH), Monero (XMR), and Litecoin (LTC). Among these, Bitcoin is the most widely used, constituting 86% of their transactions. Bitcoin is a well-known cryptocurrency with high public awareness and accessibility, making it the preferred choice for ransomware hacking groups to receive payments.

Cryptocurrency

Symbol

Characteristics

Bitcoin

BTC

The oldest, widely recognized and able to operate without involvement of central authorities

Ethereum

ETH

A highly flexible cryptocurrency platform capable of executing smart contracts

Monero

XMR

A cryptocurrency that prioritizes privacy and anonymity, concealing transactions history and ownership

Litecoin

LTC

A cryptocurrency with fast transaction processing speed and low fees

[Table 3: Cryptocurrencies Utilized by Hacking Groups Using Malware]

[Figure 19: Cryptocurrency Statistics Used by Hacking Groups Utilizing Malware in the First Half of 2023]

Conclusion

This report provides an overview of the various attack techniques and tools used by ransomware hacking groups during the first half of 2023. It illustrates that these groups have diversified their technology and infrastructure, indicating the evolving nature of their ransomware attacks.

As evident from the ransomware incident cases described in this report, ransomware attacks can lead to significant disruptions and damages, such as service outages. To mitigate such damages, it is crucial to establish preparedness and response mechanisms based on recent attack-related data and intelligence.

Therefore, obtaining cyber threat intelligence regarding the attack techniques and tools employed by ransomware hacking groups allows for the development of proactive response systems using the latest attack techniques and related data.

The full report detailing each event together with IoCs (Indicators of Compromise) and recommendations is available to existing NSHC ThreatRecon customers. For more information, please contact service@nshc.net.